
INTEGRAL vs CONFIDENTIAL

Marcin Cinik
Greenhorn
Hello,

I have a question regarding servlet security. In the specification (in XSD) it stands:

A value of INTEGRAL means
that the application requires that the data sent between the
client and server be sent in such a way that it can’t be
changed in transit



CONFIDENTIAL means that the application
requires that the data be transmitted in a fashion that
prevents other entities from observing the contents of the
transmission


My questions:
* Does INTEGRAL enforce mutual SSL authentication (so-called SSL client authentication)? Or does it only indicate that certificate-based one-sided server authentication should be conducted?
* CONFIDENTIAL is pretty clear: when it's off, there is no encryption (which apparently is not mandatory in SSL); when it's on, encryption is also on. Can someone confirm that?
* Is it possible in SSL to have only encryption without cert-based server authentication, so that the server's identity is not confirmed by the browser?
* How can I specify both INTEGRAL and CONFIDENTIAL? user-data-constraint is limited to allow only one transport-guarantee. Should I specify two user-data-constraint elements?

Sujoy Choudhury
Ranch Hand
I don't know the answer but the Servlet specification says:

A user data constraint establishes a requirement that the constrained requests be
received over a protected transport layer connection. The strength of the required
protection is defined by the value of the transport guarantee. A transport
guarantee of INTEGRAL is used to establish a requirement for content integrity
and a transport guarantee of CONFIDENTIAL is used to establish a requirement
for confidentiality. The transport guarantee of “NONE” indicates that the
container must accept the constrained requests when received on any connection
including an unprotected one. A user data constraint consists of the following
element:
■ transport guarantee (transport-guarantee in deployment descriptor)

If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication. If no user data constraint applies to
a request, the container must accept the request when received over any
connection including an unprotected one.


I am also trying to understand this.
If you get to know the answer please update this thread accordingly.
Marcin Cinik
Greenhorn
Unfortunately, up to now I haven't been able to find answers; I'm too busy at the moment to investigate further. Maybe someone else already knows the answers?
Ulf Dittmer
Rancher
In practice, both mean the same - SSL is required. That may be more important than what may have been intended when the spec was written :-)
Baachi Basu
Greenhorn
From the spec
'A user data constraint establishes a requirement that the constrained requests be
received over a protected transport layer connection. The strength of the required
protection is defined by the value of the transport guarantee. A transport
guarantee of INTEGRAL is used to establish a requirement for content integrity
and a transport guarantee of CONFIDENTIAL is used to establish a requirement
for confidentiality. The transport guarantee of “NONE” indicates that the
container must accept the constrained requests when received on any connection
including an unprotected one. A user data constraint consists of the following
element:
■ transport guarantee (transport-guarantee in deployment descriptor) '

which means: INTEGRAL guarantees integrity, which means all data on the wire is encrypted and signed by the server, which is possible with one-way SSL.
CONFIDENTIAL guarantees confidentiality, which means all data on the wire is encrypted and signed by the server and the client, which is possible with two-way SSL.
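The following deployment descriptor is an added, constructed example and is not configuration posted by anyone in this thread. It shows how the transport guarantee and client-certificate authentication are expressed as two separate settings in web.xml: the schema allows a single transport-guarantee element per user-data-constraint (so INTEGRAL and CONFIDENTIAL cannot both be listed, and CONFIDENTIAL is the stronger choice), while mutual TLS is requested through login-config/auth-method CLIENT-CERT rather than through transport-guarantee. The URL patterns and role name are assumed values chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example web.xml (Servlet 3.0 schema); not taken from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Weak: an auth-constraint with no user-data-constraint. The container
       accepts /legacy/* over any connection, including plain HTTP, so the
       authenticated session and any submitted data can travel unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>legacy-pages</web-resource-name>
      <url-pattern>/legacy/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Corrected: one user-data-constraint carrying exactly one transport-guarantee.
       The schema does not allow a second transport-guarantee, so "INTEGRAL and
       CONFIDENTIAL" is not expressible; CONFIDENTIAL is the stronger value and,
       as noted earlier in the thread, containers satisfy either by requiring TLS
       (typically by redirecting plain-HTTP requests to the HTTPS connector).
       No http-method elements are listed, so every method is covered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>account-pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Client-certificate (mutual TLS) authentication is a separate decision.
       It is selected here through auth-method; transport-guarantee alone never
       requests a client certificate, it only requires a protected transport. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

When reviewing a descriptor, check two things independently: that every security-constraint protecting authenticated resources also carries a user-data-constraint (otherwise the login and session cookie may be sent in the clear), and, if the server's TLS connector is configured to require client certificates, that auth-method is CLIENT-CERT so the container actually ties the presented certificate to a principal.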